Good evening from Germany, I installed (for the very first time) freeradius on an Ubuntu 18.04 box. The version is 3.0.16. I would like to use freeradius to authenticate my users against Samba passwords using ntlm_auth. I followed EXACTLY the instructions on the website deployingradius.com, beginning from the initial setup to the last step, "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP". Only this last step fails, and I have no idea why. This is an excerpt of the debug output: *** (2) Found Auth-Type = mschap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) mschap: Client is using MS-CHAPv1 with NT-Password (2) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-OEGNET} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (2) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (2) mschap: --> --username=om (2) mschap: ERROR: No NT-Domain was found in the User-Name (2) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-OEGNET} (2) mschap: --> --domain=OEGNET (2) mschap: mschap1: 12 (2) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (2) mschap: --> --challenge=12473d849ab42a45 (2) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (2) mschap: --> --nt-response=7cba13f9a4b65406feb11d25441a189c18b2389b0fe6e922 (2) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (2) mschap: External script failed (2) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (2) mschap: ERROR: MS-CHAP2-Response is incorrect (2) [mschap] = reject (2) } # authenticate = reject (2) Failed to authenticate the user *** I tried with 'radtest -t mschap ...' getting the following answer: *** root@hermes:/etc/freeradius.old# radtest -t mschap om topsecret localhost 0 testing123 Sent Access-Request Id 18 from 0.0.0.0:37196 to 127.0.0.1:1812 length 128 User-Name = "om" MS-CHAP-Password = "topsecret" NAS-IP-Address = 192.168.6.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "topsecret" MS-CHAP-Challenge = 0x6d7f7ccb15612a8a MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000db860e0276efb23bc02d3a0f2f5d0977ae73f0b6ea6f3937 Received Access-Reject Id 18 from 127.0.0.1:1812 to 0.0.0.0:0 length 61 MS-CHAP-Error = "\000E=691 R=1 C=9c9615bf2537c293 V=2" (0) -: Expected Access-Accept got Access-Reject *** Any advices are highly welcome. Kind regards, Jürgen
On Aug 31, 2018, at 1:36 PM, Jürgen Obermeyer <om@oegym.de> wrote:
I installed (for the very first time) freeradius on an Ubuntu 18.04 box. The version is 3.0.16. I would like to use freeradius to authenticate my users against Samba passwords using ntlm_auth. I followed EXACTLY the instructions on the website deployingradius.com, beginning from the initial setup to the last step, "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP". Only this last step fails, and I have no idea why. This is an excerpt of the debug output:
***
(2) Found Auth-Type = mschap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) mschap: Client is using MS-CHAPv1 with NT-Password (2) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-OEGNET} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (2) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (2) mschap: --> --username=om (2) mschap: ERROR: No NT-Domain was found in the User-Name (2) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-OEGNET} (2) mschap: --> --domain=OEGNET (2) mschap: mschap1: 12 (2) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (2) mschap: --> --challenge=12473d849ab42a45 (2) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (2) mschap: --> --nt-response=7cba13f9a4b65406feb11d25441a189c18b2389b0fe6e922 (2) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
That error comes from Samba. FreeRADIUS is just sending the MS-CHAP information over. And Samba is saying that it's wrong.
I tried with 'radtest -t mschap ...' getting the following answer:
***
root@hermes:/etc/freeradius.old# radtest -t mschap om topsecret localhost 0 testing123 Sent Access-Request Id 18 from 0.0.0.0:37196 to 127.0.0.1:1812 length 128 User-Name = "om" MS-CHAP-Password = "topsecret" NAS-IP-Address = 192.168.6.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "topsecret" MS-CHAP-Challenge = 0x6d7f7ccb15612a8a MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000db860e0276efb23bc02d3a0f2f5d0977ae73f0b6ea6f3937 Received Access-Reject Id 18 from 127.0.0.1:1812 to 0.0.0.0:0 length 61 MS-CHAP-Error = "\000E=691 R=1 C=9c9615bf2537c293 V=2" (0) -: Expected Access-Accept got Access-Reject
Well, radclient implements MS-CHAP correctly. And again, FreeRADIUS is just handing the MS-CHAP data to Samba, and having Samba authenticate it. Maybe there's a Samba debug output you could look at to see what it's doing. Or, is Samba going to Active Directory? If so, then maybe Samba hasn't properly joined the Active Directory domain. Alan DeKok.
Well, radclient implements MS-CHAP correctly. And again, FreeRADIUS is just handing the MS-CHAP data to Samba, and having Samba authenticate it.
Not able to get ntlm_auth working, I switched now to krb5. 'radtest' says: *** root@hermes:~# radtest om topsecret localhost 0 testing123 Sent Access-Request Id 34 from 0.0.0.0:41742 to 127.0.0.1:1812 length 72 User-Name = "om" User-Password = "topsecret" NAS-IP-Address = 192.168.6.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "topsecret" Received Access-Accept Id 34 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 *** And the debug output is: *** (0) Received Access-Request Id 34 from 192.168.0.1:41742 to 127.0.0.1:1812 length 72 (0) User-Name = "om" (0) User-Password = "topsecret" (0) NAS-IP-Address = 192.168.6.1 (0) NAS-Port = 0 (0) Message-Authenticator = 0xa81ba8bb09dc97f2bb249085b847fc16 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "om", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 1 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = Kerberos (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Auth-Type Kerberos { rlm_krb5 (krb5): Reserved connection (0) (0) krb5: Using client principal "om@OEGYM.DE" (0) krb5: Retrieving and decrypting TGT (0) krb5: Attempting to authenticate against service principal rlm_krb5 (krb5): Released connection (0) Need 5 more connections to reach 10 spares rlm_krb5 (krb5): Opening additional connection (5), 1 of 27 pending slots used (0) [krb5] = ok (0) } # Auth-Type Kerberos = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 34 from 127.0.0.1:1812 to 192.168.0.1:41742 length 0 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 34 with timestamp +8 Ready to process requests *** May I ignore the "PAP WARNINGS"? And will wireless clients (or the users) authenticate if 'radtest' (via ssh) is successfull? Jürgen
On Sep 1, 2018, at 8:17 AM, Jürgen Obermeyer <om@oegym.de> wrote:
Not able to get ntlm_auth working, I switched now to krb5. 'radtest' says:
That's good, but we don't need to see the output of radtest.
May I ignore the "PAP WARNINGS"?
Yes.
And will wireless clients (or the users) authenticate if 'radtest' (via ssh) is successfull?
Only EAP-TTLS will work. PEAP will not. That's because only EAP-TTLS supplies the clear text password that is needed by krb5. Something is very wrong with the Samba / AD infrastructure if MS-CHAP doesn't work. Alan DeKok.
participants (2)
-
Alan DeKok -
Jürgen Obermeyer